From 4a301896eb7eb95e619da153e2bc72f9e63492a1 Mon Sep 17 00:00:00 2001
From: Alex Barganier
Date: Thu, 9 Mar 2023 13:54:31 -0400
Subject: [PATCH] pkg/server: fix `/demologin` to properly redirect to home page
With the introduction of the server controller, we introduced a layer between the HTTP handler and the HTTP server. When this was introduced, the logic to attempt a login to all tenants forgot to handle the case for `/demologin` where the status code is set to a 307 redirect, instead of a 200 status OK. This broke the redirect piece of the `/demologin` endpoint. This patch updates the `attemptLoginToAllTenants` HTTP handler to properly set the 307 response code in the case where the underlying login function does so on the sessionWriter.
Release note: none
---
 pkg/server/authentication.go | 2 +-
 pkg/server/server_controller_http.go | 18 +++++++++++++++++-
 2 files changed, 18 insertions(+), 2 deletions(-)
diff --git a/pkg/server/authentication.go b/pkg/server/authentication.go
index 6e4748062cfa..b82f1246a3c4 100644
--- a/pkg/server/authentication.go
+++ b/pkg/server/authentication.go
@@ -240,7 +240,7 @@ func (s *authenticationServer) demoLogin(w http.ResponseWriter, req *http.Reques
 w.Header()["Set-Cookie"] = []string{cookie.String()}
 w.Header()["Location"] = []string{"/"}
- w.WriteHeader(302)
+ w.WriteHeader(http.StatusTemporaryRedirect)
 _, _ = w.Write([]byte("you can use the UI now"))
 }
diff --git a/pkg/server/server_controller_http.go b/pkg/server/server_controller_http.go
index 730702a267da..5171715ad55e 100644
--- a/pkg/server/server_controller_http.go
+++ b/pkg/server/server_controller_http.go
@@ -153,6 +153,8 @@ func (c *serverController) attemptLoginToAllTenants() http.Handler {
 }
 defer r.Body.Close()
+ redirect := false
+ redirectLocation := "/" // default to home page
 for _, name := range tenantNames {
 server, err := c.getServer(ctx, name)
 if err != nil {
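Review bot: The status written in demoLogin (pkg/server/authentication.go, the `w.WriteHeader(http.StatusTemporaryRedirect)` line) is now the exact value that attemptLoginToAllTenants tests with `sw.code == http.StatusTemporaryRedirect`, and nothing at this call site says so. Changing the code here later would silently drop the redirect in the controller again, which is the regression this commit fixes. I would add a comment above the call, `// Keep in sync with attemptLoginToAllTenants, which forwards the redirect only for this status.` demoLogin starts before this hunk, so only its tail is visible.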
@@ -185,6 +187,16 @@ func (c *serverController) attemptLoginToAllTenants() http.Handler {
 name: string(name),
 setCookie: setCookieHeader,
 })
+ // In the case of /demologin, we want to redirect to the provided location
+ // in the header. If we get back a cookie along with an
+ // http.StatusTemporaryRedirect code, be sure to transfer the response code
+ // along with the Location into the ResponseWriter later.
+ if sw.code == http.StatusTemporaryRedirect {
+ redirect = true
+ if locationHeader, ok := sw.Header()["Location"]; ok && len(locationHeader) > 0 {
+ redirectLocation = locationHeader[0]
+ }
+ }
 }
 }
 // If the map has entries, the method to create the aggregated session should
@@ -217,7 +229,11 @@ func (c *serverController) attemptLoginToAllTenants() http.Handler {
 return
 }
 }
- w.WriteHeader(http.StatusOK)
+ if redirect {
+ http.Redirect(w, r, redirectLocation, http.StatusTemporaryRedirect)
+ } else {
+ w.WriteHeader(http.StatusOK)
+ }
 } else {
 w.WriteHeader(http.StatusUnauthorized)
 }
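Review bot: `redirectLocation = locationHeader[0]` copies the Location from the per-tenant login response into the outer redirect without checking that it is a same-site path. The only producer visible in this patch, demoLogin, hard-codes `/`, so this is safe today, but the controller would forward an absolute or scheme-relative URL from any login handler that later derives Location from request input, right after the session cookies are collected. Accepting only local paths and otherwise keeping the default closes that off: `if loc := sw.Header().Get("Location"); strings.HasPrefix(loc, "/") && !strings.HasPrefix(loc, "//") && !strings.HasPrefix(loc, "/\\") { redirectLocation = loc }` (assuming sw.Header() returns an http.Header and strings is imported in this file). When several tenants answer with a redirect the last one wins, which deserves a word in the added comment. The loop and the handler continue outside the hunk.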
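Review bot: `http.Redirect(w, r, redirectLocation, http.StatusTemporaryRedirect)` answers with a 307, which instructs the client to repeat the original method and body at the new location. If this handler is also reached by a POST that carries credentials (the request method is not visible in the hunk), a tenant login response with status 307 would make the browser re-send that body to redirectLocation. For navigation after a successful login `http.StatusSeeOther` is the usual choice, or the redirect branch can be limited with `if redirect && r.Method == http.MethodGet {`. The enclosing handler begins above this hunk.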